From c0dd4f3911196c23ff76085161a7551cd7fbb015 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 26 Mar 2008 15:36:23 +0000
Subject: [PATCH] Better fix for policy parsing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8361 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/changelog.txt | 2 ++
 Shorewall-common/lib.cli | 2 +-
 Shorewall-common/macro.Rfc1918 | 10 ++++++++++
 Shorewall-common/releasenotes.txt | 3 +++
 Shorewall-perl/Shorewall/Policy.pm | 6 ++----
 5 files changed, 18 insertions(+), 5 deletions(-)
 create mode 100644 Shorewall-common/macro.Rfc1918

diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 168bbe395..d378ebe2c 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -14,6 +14,8 @@ Changes in 4.1.7
 
 7) Fix priority mingling in tc filters.
 
+8) Fix policy parsing.
+
 Changes in 4.1.6
 
 1) Deprecate IMPLICIT_CONTINUE=Yes
diff --git a/Shorewall-common/lib.cli b/Shorewall-common/lib.cli
index e2428d5b0..19db4bfc3 100644
--- a/Shorewall-common/lib.cli
+++ b/Shorewall-common/lib.cli
@@ -609,7 +609,7 @@ show_command() {
     if [ $# -gt 0 ]; then
         [ -n "$table_given" ] || for chain in $*; do
             if ! qt $IPTABLES -t $table -L $chain $IPT_OPTIONS; then
-                echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2
+                echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2
                 exit 1
             fi
         done
diff --git a/Shorewall-common/macro.Rfc1918 b/Shorewall-common/macro.Rfc1918
new file mode 100644
index 000000000..85cd2a332
--- /dev/null
+++ b/Shorewall-common/macro.Rfc1918
@@ -0,0 +1,10 @@
+#
+# Shorewall version 4 - Rfc1918 Macro
+#
+# /usr/share/shorewall/macro.Rfc1918
+#
+# This macro handles traffic with SOURCE or DEST reserved by RFC 1918.
+#
+###############################################################################
+PARAM SOURCE DEST:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 DEST
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 716d584f9..691944735 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -89,6 +89,9 @@ Problems corrected in Shorewall-perl 4.1.7.
 /sbin/shorewall: line 723: 755 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
+4) A POLICY of ":" in /etc/shorewall/policy would produce Perl
+   run-time errors.
+
 New Features in 4.1.7.
 1) If an interface fails when using balanced multi-ISP routing, the
diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm
index 8c384f12b..6aa27ed49 100644
--- a/Shorewall-perl/Shorewall/Policy.pm
+++ b/Shorewall-perl/Shorewall/Policy.pm
@@ -211,7 +211,7 @@ sub validate_policy()
 
     while ( read_a_line ) {
 
-        my ( $client, $server, $policy, $loglevel, $synparams ) = split_line 3, 5, 'policy file';
+        my ( $client, $server, $originalpolicy, $loglevel, $synparams ) = split_line 3, 5, 'policy file';
 
         $loglevel = '' if $loglevel eq '-';
         $synparams = '' if $synparams eq '-';
@@ -224,9 +224,7 @@ sub validate_policy()
 
         fatal_error "Undefined zone $server" unless $serverwild || defined_zone( $server );
 
-        my $originalpolicy = $policy;
-
-        ( $policy , my ( $default, $remainder ) ) = split( /:/, $policy, 3 );
+        my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
 
         fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
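Review bot: After the new `my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );` line in the second Policy.pm hunk, `$default` and `$remainder` are undef when the POLICY column has no colon but are the empty string when it ends in one (a column such as `ACCEPT:`), and the only check the hunk makes is `unless $policy`; if the code that follows compares them with `eq` or interpolates them, the undef case will emit "uninitialized" warnings under `use warnings` while the empty-string case passes silently, so the fix for a bare `:` may still leave a trailing-colon variant behaving differently. Normalising immediately after the split, `$default = '' unless defined $default;` and likewise for `$remainder`, gives the later checks a single shape to test. A one-line comment on the split, `# a bare ':' or an empty column yields '' for $policy and is rejected below`, would record why the check on `$policy` alone is sufficient for that case. validate_policy's body continues past the end of the hunk, so the later handling of `$default` could not be verified here.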